Potential impact with bmcweb pam config change
Lei Yu
yulei.sh at bytedance.com
Wed Jan 10 13:48:46 AEDT 2024
This email describes a change in bmcweb's pam config file and the
potential impact of the user login.
# Background
See details at https://gerrit.openbmc.org/c/openbmc/bmcweb/+/68562
In short, the previous bmcweb pam config is incorrect, and a user
without the `web/redfish` group could log in to bmcweb.
# Potential impact
With the change, users without the `redfish` group will **NOT** be
able to login to bmcweb anymore.
If an old BMC is upgraded with this change, and if the previous BMC
users were created without the `redfish` group, such users will be
locked out from bmcweb.
# Questions
The questions to discuss:
1. Are there real cases in which BMC users were created without the
`redfish` group?
2. If yes, how to migrate from the old BMC without any accident
lockout, and still enforce the `redfish` group check?
--
BRs,
Lei YU
More information about the openbmc
mailing list